Amendments to the claims: 

Listing of all claims pursuant to 37 CFR 1.121(c) 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

What is claimed is: 

1. (Currently amended) A method for authorizing a client to access a service 
based on compliance with a policy required for access to the service, the method 
comprising: 

specifying a policy required for access to the service, the policy including 
security-relevant requirements that the client must meet before the client is provided 
access to the service; 

detecting a request for access to the service from a the client; 

attempting authentication of the client based on credentials presented by the 
client; 

if the client is authenticated based on the credentials, determining whether the 
client is in compliance with said policy based, at least in part, on attributes of the client; 
and 

if the client is determined to be in compliance with said policy, providing access 
to the service. 

2. (Original) The method of claim 1, wherein the service comprises a remote 
service accessible by the client through a network. 

3. (Original) The method of claim 1, further comprising: 

restricting access to the service if the client is determined to be non-compliant 
with said policy. 

4. (Original) The method of claim 3, wherein restricting access includes 
assigning limited access privileges to the client. 

5. (Original) The method of claim 3, wherein restricting access includes issuing a 
Kerberos ticket specifying limited access privileges if the client is determined to be 
non-compliant with the policy. 

6. (Original) The method of claim 1, wherein said policy comprises a security 
policy. 

7. (Original) The method of claim 6, wherein said security policy includes 
security measures required on the client. 

8. (Original) The method of claim 1, wherein said policy includes anti-virus 
measures required on the client. 

9. (Original) The method of claim 1, wherein said step of providing access 
includes issuing a Kerberos ticket specifying access privileges provided to the client. 

10. (Original) The method of claim 1, wherein attributes of the client include a 
selected one of a file integrity policy in effect at the client, a file installed at the client, a 
process running at the client, a particular checksum value at the client, and a registry 
entry at the client. 

11. (Original) The method of claim 1, wherein said detecting step includes 
detecting a request for access to a server by a remote client. 

12. (Original) The method of claim 1, wherein said detecting step includes 
detecting a request for access to a service on a computer system by another process on the 
computer system. 

13. (Original) The method of claim 1, wherein said attempting authentication step 
includes authentication based on user identity. 

14. (Original) The method of claim 1, wherein said attempting authentication step 
includes using a selected one of Kerberos authentication, Pluggable Authentication 
Module (PAM) authentication, Extensible Authentication Protocol (EAP) authentication, 
Generic Security Service API (GSS-API) authentication, and trust negotiation in TLS 
(TNT) authentication. 

15. (Original) The method of claim 1, wherein said credentials include a selected 
one of a user name, a password, and a certificate. 

16. (Original) The method of claim 1, wherein said determining step includes 
obtaining attribute information from the client. 

17. (Original) The method of claim 16, wherein said step of obtaining 
information from the client includes requesting attribute information collected by a 
client-side component. 

18. (Original) The method of claim 1, wherein said determining step includes 
substeps of: 

providing a copy of the policy to the client; and 

performing a compliance check at the client to determine compliance with the 
policy. 

19. (Original) The method of claim 1, wherein said determining step includes 
obtaining information from a security evaluation service that has previously evaluated 
compliance by the client with the policy. 

20. (Currently amended) A computer-readable storage medium having processor- 
executable instructions for performing the method of claim 1. 

21. (Original) A downloadable set of processor-executable instructions for 
performing the method of claim 1. 
22. (Currently amended) A system for authenticating and assigning access 
privileges to a client device for access to a service, the system comprising: 

a policy specifying access privileges to be assigned to a client device based on 
security-related attributes of the client device that are relevant to the client's access of the 
service ; 

a primary authentication module for receiving a request from a client device for 
access to the service and determining whether to authenticate the client device for access 
to the service; and 

a supplemental authentication module for examining attributes of a client device 
authenticated by said primary authentication module and assigning access privileges to 
the client device based on the policy. 

23. (Original) The system of claim 22, wherein said policy comprises a security 
policy. 

24. (Original) The system of claim 22, wherein said policy includes security 
attributes of the client device. 

25. (Original) The system of claim 22, wherein said step of examining attributes 
of the client device includes determining whether specified anti-virus measures are in 
effect on the client device. 

26. (Original) The system of claim 22, wherein said step of examining attributes 
of the client device includes examining a selected one of a file integrity policy in effect at 
the client device, a file installed at the client device, a process running at the client 
device, a particular checksum value at the client device, and a registry entry at the client 
device. 

27. (Original) The system of claim 22, wherein said primary authentication 
module uses a selected one of Kerberos authentication, Pluggable Authentication Module 
(PAM) authentication, Extensible Authentication Protocol (EAP) authentication, Generic 
Security Service API (GSS-API) authentication, and trust negotiation in TLS (TNT) 
authentication. 

28. (Original) The system of claim 22, wherein said primary authentication 
module authenticates the client device based upon user identity. 

29. (Original) The system of claim 28, wherein the client device provides a user 
name and password to said primary authentication module for authenticating user 
identity. 

30. (Original) The system of claim 28, wherein the client device provides a 
digital certificate to said primary authentication module for authenticating user identity. 

31. (Original) The system of claim 22, wherein the supplemental authentication 
module includes a component on the client device for collecting attribute information. 

32. (Original) The system of claim 31, wherein the component on the client 
device evaluates the collected attribute information at the client device for determining 
compliance of the client device with the policy. 

33. (Original) The system of claim 32, further comprising: 
a policy server for providing the policy to the client device. 

34. (Original) The system of claim 22, wherein the supplemental authentication 
module receives information about attributes of the client device from the client device. 

35. (Original) The system of claim 34, wherein the client device provides 
attribute information to the supplemental authentication module in response to a message 
from the supplemental authentication module. 

36. (Original) The system of claim 35, wherein said attribute information is 
provided as a selected one of a text string, an Extensible Markup Language (XML) 
document, and an Abstract Syntax Notation One (ASN.1) file. 

37. (Original) The system of claim 22, wherein the supplemental authentication 
module permits access to the service if the client device is in compliance with the policy. 

38. (Original) The system of claim 22, wherein the supplemental authentication 
module issues a Kerberos ticket specifying the client device's access privileges. 

39. (Original) The system of claim 22, wherein the supplemental authentication 
module restricts access to the service if the client device is non-compliant with the policy. 

40. (Original) The system of claim 22, further comprising: 

a policy server in communication with the supplemental authentication module 
for evaluating compliance by the client device with the policy based upon attributes of 
the client device. 

41. (Original) The system of claim 22, wherein the supplemental authentication 
module comprises a selected one of an anti-virus engine, a configuration checker, and a 
security engine. 

42. (Currently amended) A method for assigning privileges to a client to use a 
service based on an access policy, the method comprising: 

specifying an access policy for assigning privileges to a client to use the service 
based on attributes of the client , the policy including security-relevant requirements that 
the client must meet before the client is provided access to the service ; 

detecting a request for use of the service from a client; 

attempting authentication of the client based on user identity information provided 
by the client; 

if the client is authenticated based on user identity, collecting attribute 
information from the client; and 
assigning privileges to the client to use the service based on the collected attribute 
information and the access policy. 

43. (Original) The method of claim 42, wherein said step of assigning privileges 
includes blocking access to the service if the client is determined to be non-compliant 
with the access policy. 

44. (Original) The method of claim 42, wherein said step of assigning privileges 
includes restricting access to the service if the client is determined to be non-compliant 
with the access policy. 

45. (Original) The method of claim 42, wherein said step of assigning privileges 
includes issuing a Kerberos ticket to the client. 

46. (Original) The method of claim 42, wherein said access policy includes 
security measures required on the client. 

47. (Original) The method of claim 42, wherein said access policy includes 
anti-virus measures required on the client. 

48. (Original) The method of claim 42, wherein said access policy includes an 
attribute required for the client. 

49. (Original) The method of claim 48, wherein said attribute includes a selected 
one of a file integrity policy in effect at the client, a file installed at the client, a process 
running at the client, a particular checksum value at the client, and a registry entry at the 
client. 

50. (Original) The method of claim 42, wherein said detecting step includes 
detecting a request for access to a server by a remote client. 

51. (Original) The method of claim 42, wherein said collecting step includes 
requesting attribute information from the client. 

52. (Original) The method of claim 51, wherein the attribute information is 
provided as a selected one of a text string, an Extensible Markup Language (XML) 
document, and an Abstract Syntax Notation One (ASN.1) file. 

53. (Original) The method of claim 42, wherein said collecting step includes 
using a client-side component for collecting attribute information. 

54. (Original) The method of claim 53, wherein said client-side component 
determines whether the client is in compliance with the access policy based on the 
collected attribute information. 

55. (Original) The method of claim 53, wherein said client-side component sends 
the collected attribute information to a policy server for determining whether the client is 
in compliance with the access policy. 

56. (Currently amended) A computer-readable storage medium having processor- 
executable instructions for performing the method of claim 42. 

57. (Original) A downloadable set of processor-executable instructions for 
performing the method of claim 42. 

58. (Currently amended) In a system comprising a client computer connecting to 
a service through a network, a method for regulating access to the service based on a 
specified access policy, the policy including security-relevant requirements that the client 
computer must meet before the client computer is provided access to the service, the 
method comprising: 

transmitting a challenge from the service to the client computer connecting to the 
service for determining whether the client computer is in compliance with said specified 
access policy, wherein said access policy includes attributes of the client device computer 
that are acceptable for permitting access to the service; 

transmitting a response from the client computer back to the service, for 
responding to the challenge issued by the service; and 

blocking access to the service by the client computer if the client computer does 
not respond appropriately to the challenge issued by the service. 

59. (Original) The method of claim 58, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

60. (Original) The method of claim 58, wherein said challenge includes at least 
some rules of said access policy that are transmitted to the client computer. 

61. (Original) The method of claim 58, wherein said access policy is provided at 
the client computer. 

62. (Original) The method of claim 61, wherein the client computer performs a 
compliance check for determining compliance with the access policy and returns the 
compliance check result in response to the challenge. 

63. (Original) The method of claim 58, wherein said attributes include a selected 
one of a file integrity policy in effect at the client computer, a file installed at the client 
computer, a process running at the client computer, a particular checksum value at the 
client computer, and a registry entry at the client computer. 

64. (Original) The method of claim 58, further comprising: 
otherwise, permitting access to the service by the client computer. 

65. (Original) The method of claim 64, wherein permitting the client computer to 
access the service includes assigning access privileges based on the response received 
from the client computer. 
66. (Original) The method of claim 65, wherein assigning access privileges 
includes issuing a Kerberos ticket for providing said access privileges to the client 
computer. 

67. (Original) A downloadable set of processor-executable instructions for 
performing the method of claim 58. 

68. (Currently amended) A computer-readable storage medium having processor- 
executable instructions for performing the method of claim 58. 
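The flow claimed above (claims 1, 42 and 58: authenticate first, then check the client's reported attributes against the policy, then grant full, limited or no access) as a small Python model. This is an added example, not code from the application; the credential store, the policy rules, the attribute names and the dict standing in for the Kerberos ticket are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed credential store (illustration only; a real store would use a password KDF).
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}

# Constructed access policy: attribute name -> value the client must report.
# Attribute kinds follow claim 10: a running process, a checksum, a registry entry.
POLICY = {
    "process:avengine": "running",
    "sha256:/etc/hosts": "0" * 64,                     # placeholder digest
    "registry:HKLM/Policies/EnableFirewall": "1",
}

def authenticate(user, password):
    """Primary authentication (claim 1): verify the presented credentials."""
    stored = USERS.get(user)
    if stored is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)     # constant-time compare

def challenge(policy):
    """Claims 58 and 60: the challenge carries the rules the client must report on."""
    return {"rules": sorted(policy)}

def client_response(chal, client_attrs):
    """Client-side component (claims 17, 31, 62): answer each requested rule it can."""
    return {r: client_attrs[r] for r in chal["rules"] if r in client_attrs}

def evaluate(policy, response):
    """Supplemental check (claim 22): rules left unanswered, and rules answered wrongly."""
    unanswered = [r for r in policy if r not in response]
    failed = [r for r, want in policy.items() if r in response and response[r] != want]
    return unanswered, failed

def authorize(user, password, client_attrs, policy=POLICY):
    """Whole flow; the returned dict stands in for the Kerberos ticket of claims 5 and 9."""
    if not authenticate(user, password):
        return {"user": user, "privileges": "denied", "failed_rules": []}
    # Only an authenticated client reaches the compliance check (claim 1).
    resp = client_response(challenge(policy), client_attrs)
    unanswered, failed = evaluate(policy, resp)
    if unanswered:              # claim 58: no appropriate response to the challenge -> block
        level = "blocked"
    elif failed:                # claims 3-5: non-compliant -> limited privileges
        level = "limited"
    else:                       # claim 1: compliant -> access provided
        level = "full"
    return {"user": user, "privileges": level, "failed_rules": failed + unanswered}
```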